Privacy Policy
Last updated: 13 February 2026
1. What we collect
- Merchant account data (business name, email, Shopify store URL).
- Klaviyo integration tokens (used to operate the service).
- Event metadata from abandoned cart flows (timestamps, cart IDs).
- Entry records (customer email hash, ticket ID, draw period, purchase confirmation).
2. How we use it
- Operate the Cartback service, including draw entry creation and winner selection.
- Compliance and regulatory reporting where required.
- Auditing and record-keeping for trade promotion obligations.
- Service improvements and analytics (aggregated, non-identifiable).
3. Sharing
We may share data with:
- Service providers (hosting, email delivery, payment processing) under data processing agreements.
- Regulatory bodies where required for compliance with trade promotion laws.
We do not sell personal data to third parties.
4. Consent and legal basis
We process personal data on the basis of legitimate interest for service operation, including processing entries, running draws, and fulfilling prizes.
- Shoppers are automatically entered into the draw upon completing a purchase. There is no separate opt-in; clear disclosure is provided in promotional materials and merchant emails.
- Merchants consent to data processing via Shopify app installation and Klaviyo OAuth connection.
- Cartback does not send marketing communications to shoppers. All shopper-facing emails are transactional only (winner notification and entry confirmation).
5. Retention periods
We retain different categories of data for different periods:
| Data type | Retention period |
|---|---|
| Merchant account data | Duration of service + 7 years |
| Draw entry records | 7 years (trade promotion compliance) |
| Audit logs (draw operations, entries, winner selection) | 7 years minimum |
| Click tracking data (unconverted) | 90 days |
| Session data (shopper/admin cookies) | 7 days, auto-purged on expiry |
| OAuth tokens (Klaviyo) | Duration of integration, purged on disconnect |
| Webhook logs | 30 days |
| Aggregated analytics | Indefinite (non-identifiable) |
6. Your rights
You have the following rights in relation to your personal data:
- Access — request a copy of the data we hold about you.
- Correction — request correction of inaccurate or incomplete data.
- Deletion — request deletion of your data, subject to regulatory retention requirements. We will tell you what must be kept and why.
- Portability — request an export of your data in a machine-readable format.
- Objection — object to processing of your data.
To exercise any of these rights, email privacy@cartback.com.au. We will respond within 30 days.
GDPR: If you are located in the EU/EEA, you have equivalent rights under the General Data Protection Regulation and may lodge a complaint with your local supervisory authority.
Australian Privacy Act: You may complain to the Office of the Australian Information Commissioner (OAIC) if you believe your privacy has been breached.
7. Security
- All data is encrypted in transit (TLS 1.2+) and at rest.
- Email addresses are hashed using SHA-256 for entry matching. Plaintext email is only retained where operationally required (e.g. winner notification).
- Infrastructure is hosted on managed platforms (Vercel, Neon PostgreSQL) with SOC 2 compliance.
- Access to personal data is restricted to authorised staff on a need-to-know basis.
- All staff access to personal data is logged and auditable.
- We maintain a documented security incident response policy. See our Data Handling page for details.
8. Contact
For privacy-related requests, contact us at privacy@cartback.com.au.